Under the advise of the 3rd party I have added the following to squid.conf acl Java browser Java/1.4 Java/1.5 Java/1.6 http_access allow Java This appears to resolve the issue. However I would like to better understand it the above line, and whether it is an acceptable full-time solution, or merely a workaround. Paul Cocker IT Systems Administrator IT Security Officer 01628 81(6647) TNT Post (Doordrop Media) Ltd. 1 Globeside Business Park Fieldhouse Lane Marlow Bucks SL7 1HY -----Original Message----- From: Paul Cocker Sent: 18 September 2007 19:52 To: squid-users@xxxxxxxxxxxxxxx Subject: Java authentication under SquidNT 2.6 STABLE 14 using NTLM Last week (Thursday/Friday) my organisation moved from SquidNT 2.5 to SquidNT 2.6 STABLE 14. We use a Java applet which generates parcel tags and prints them off. It was working fine... until today. We are running Java 6 Update 2 and users connect using NTLM passthrough authentication, squid looks to see that they are a member of group X before allowing them access. Java is setup to use the same settings as the browser. We are seeing the following in the console output java.lang.NullPointerException at sun.net.www.protocol.http.NTLMAuthentication.setHeaders(Unknown Source) at sun.net.www.protocol.http.HttpURLConnection.doTunneling(Unknown Source) at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(Un known Source) at sun.net.www.protocol.http.HttpURLConnection.getInputStream(Unknown Source) at sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(Unknown Source) at sun.plugin.PluginURLJarFileCallBack$1.run(Unknown Source) at java.security.AccessController.doPrivileged(Native Method) at sun.plugin.PluginURLJarFileCallBack.retrieve(Unknown Source) at sun.net.www.protocol.jar.URLJarFile.retrieve(Unknown Source) at sun.net.www.protocol.jar.URLJarFile.getJarFile(Unknown Source) at sun.net.www.protocol.jar.JarFileFactory.get(Unknown Source) at sun.net.www.protocol.jar.JarURLConnection.connect(Unknown Source) at sun.plugin.net.protocol.jar.CachedJarURLConnection.connect(Unknown Source) at sun.plugin.net.protocol.jar.CachedJarURLConnection.getJarFileInternal(Un known Source) at sun.plugin.net.protocol.jar.CachedJarURLConnection.getJarFile(Unknown Source) at sun.misc.URLClassPath$JarLoader.getJarFile(Unknown Source) at sun.misc.URLClassPath$JarLoader.access$600(Unknown Source) at sun.misc.URLClassPath$JarLoader$1.run(Unknown Source) at java.security.AccessController.doPrivileged(Native Method) at sun.misc.URLClassPath$JarLoader.ensureOpen(Unknown Source) at sun.misc.URLClassPath$JarLoader.<init>(Unknown Source) at sun.misc.URLClassPath$3.run(Unknown Source) at java.security.AccessController.doPrivileged(Native Method) at sun.misc.URLClassPath.getLoader(Unknown Source) at sun.misc.URLClassPath.getLoader(Unknown Source) at sun.misc.URLClassPath.getResource(Unknown Source) at java.net.URLClassLoader$1.run(Unknown Source) at java.security.AccessController.doPrivileged(Native Method) at java.net.URLClassLoader.findClass(Unknown Source) at sun.applet.AppletClassLoader.findClass(Unknown Source) at java.lang.ClassLoader.loadClass(Unknown Source) at sun.applet.AppletClassLoader.loadClass(Unknown Source) at java.lang.ClassLoader.loadClass(Unknown Source) at sun.applet.AppletClassLoader.loadCode(Unknown Source) at sun.applet.AppletPanel.createApplet(Unknown Source) at sun.plugin.AppletViewer.createApplet(Unknown Source) at sun.applet.AppletPanel.runLoader(Unknown Source) at sun.applet.AppletPanel.run(Unknown Source) at java.lang.Thread.run(Unknown Source) Having spoken to a chap at the company behind the software he indicated that this is a problem with the passthrough authentication, which is further supported by the fact that if we take a workstation which runs this application and give it a direct connection to the Internet, everything works just fine. Yet, as I say, we upgraded last week and it was working fine on Monday and nothing has been changed in the config since, though the service was restarted this morning. I am seeing quite a few TCP/DENIED entires in the access.log file relating to the site in question: TCP_DENIED/407 1789 CONNECT web.site.com:443 - NONE/- text/html TCP_DENIED/407 2035 CONNECT web.site.com:443 - NONE/- text/html I note from the logs that where we register NONE, there should be the username of the individual in question. Any help would be much appreciated. Paul Cocker IT Systems Administrator IT Security Officer 01628 81(6647) TNT Post (Doordrop Media) Ltd. 1 Globeside Business Park Fieldhouse Lane Marlow Bucks SL7 1HY TNT Post is the trading name for TNT Post UK Ltd (company number: 04417047), TNT Post (Doordrop Media) Ltd (00613278), TNT Post Scotland Ltd (05695897),TNT Post North Ltd (05701709) and TNT Post South West Ltd (05983401). Emma's Diary and Lifecycle are trading names for Lifecycle Marketing (Mother and Baby) Ltd (02556692). All companies are registered in England and Wales; registered address: 1 Globeside Business Park, Fieldhouse Lane, Marlow, Buckinghamshire, SL7 1HY.